Conversation

@ryanmurf
Struts 1.2.x has a different groupId than 1.3.x

@ryanmurf ryanmurf requested review from Copilot November 12, 2025 16:29
@github-actions github-actions bot changed the base branch from main to ryanmurf/advisory-improvement-6413 November 12, 2025 16:30
Copilot AI left a comment

Pull Request Overview

This pull request updates the security advisory for CVE-2025-54656 to include an additional affected package entry. The advisory addresses an Improper Output Neutralization for Logs vulnerability in Apache Struts.

  • Adds support for the legacy struts:struts groupId (used in Struts 1.2.x)
  • Updates the modified timestamp

"type": "ECOSYSTEM",
"events": [
{
"introduced": "1.2.0"
Copilot AI Nov 12, 2025

The version range for struts:struts starts at '1.2.0', but other similar advisories (e.g., GHSA-5ggr-mpgw-3mgx, GHSA-7jw3-5q4w-89qg) consistently use '0' as the introduced version for this package. Unless there's a specific reason why versions before 1.2.0 are not affected, consider starting from '0' to maintain consistency with other advisories and ensure comprehensive coverage.

Suggested change
"introduced": "1.2.0"
"introduced": "0"

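To make the review point concrete, here is an added example (not code from the advisory database or from this PR) that evaluates an OSV `ECOSYSTEM` range against Maven versions of `struts:struts` and lists which versions the PR's `introduced: "1.2.0"` bound misses compared with `introduced: "0"`. The probe versions are constructed for illustration, and the numeric-only version comparison is a simplifying assumption (real Maven ordering also handles qualifiers).

```python
# Added example, not from the advisory database or this PR.
# Evaluates an OSV "ECOSYSTEM" version range (a list of "introduced" /
# "fixed" events) against Maven versions of struts:struts, to show which
# versions each candidate "introduced" bound covers.
from functools import cmp_to_key


def version_parts(v: str) -> tuple:
    # Simplifying assumption: dotted numeric versions only; a non-numeric
    # part (e.g. a qualifier) is treated as 0. Real Maven ordering is richer.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1, padding so that "1.1" compares equal to "1.1.0"."""
    pa, pb = version_parts(a), version_parts(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version: str, events: list) -> bool:
    """OSV semantics: walk events in version order; the last event whose bound
    is <= version decides. 'introduced' => affected, 'fixed' => not affected."""
    ordered = sorted(events, key=cmp_to_key(
        lambda x, y: compare(next(iter(x.values())), next(iter(y.values())))))
    affected = False
    for event in ordered:
        kind, bound = next(iter(event.items()))
        if compare(version, bound) < 0:
            break
        affected = kind == "introduced"
    return affected


# The two "introduced" bounds discussed in the review thread.
PR_EVENTS = [{"introduced": "1.2.0"}]       # as proposed in the PR
SUGGESTED_EVENTS = [{"introduced": "0"}]    # Copilot's suggested change

# Constructed probe versions (not a claim about which Struts 1.x releases exist).
PROBE_VERSIONS = ["1.0.2", "1.1", "1.2.0", "1.2.9", "1.3.10"]


def coverage_gap(probes=PROBE_VERSIONS) -> list:
    """Versions flagged by the wider range but missed by the PR's range."""
    return [v for v in probes
            if is_affected(v, SUGGESTED_EVENTS) and not is_affected(v, PR_EVENTS)]


if __name__ == "__main__":
    print("missed by introduced=1.2.0:", coverage_gap())  # ['1.0.2', '1.1']
```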
@ryanmurf ryanmurf closed this Nov 12, 2025
@github-actions github-actions bot deleted the ryanmurf-GHSA-cx25-xg7c-xfm5 branch November 12, 2025 16:45